IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 14 May 2020 00:49 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48F613A0895; Wed, 13 May 2020 17:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CX5r-kvE_Dis; Wed, 13 May 2020 17:49:43 -0700 (PDT)
Received: from mail-ua1-x92d.google.com (mail-ua1-x92d.google.com [IPv6:2607:f8b0:4864:20::92d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D289A3A0820; Wed, 13 May 2020 17:49:42 -0700 (PDT)
Received: by mail-ua1-x92d.google.com with SMTP id a11so507940uah.12; Wed, 13 May 2020 17:49:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=COiMoOSMb1fGPJQFHyvpoY3LGFG6knbtYJ5fpVxQDJw=; b=HODVXOLguUkQR0Eo6OAyFr07Rcd1fy8c896H0qBRQAtpUZFCtE7UcMQemvjTaysPY1 0TgTndBnUML2Rx7zHixmcSMradqHtfBWnakj64KZjGBmpBWbJJi4YNnu8q3x3n7NFhY1 MzA7zVz4eJlrr3aSjLCTpybLihBo4wFsPbMUZNVwtqJgGFcnGW0walw0rDevpD+cZfYt qXRhvTZxZn+qWFNMyTRAzkjPUv16uMvg54gc2o5R6suvVSPP2k4FjHUlG/q7fP/OoP+g XZIvwFMkqsVzO26gprYq1NLAPbFeC6ODT6YkHftHUCm+TKivxTLaT7ootJZIz/9iCrZo X2Hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=COiMoOSMb1fGPJQFHyvpoY3LGFG6knbtYJ5fpVxQDJw=; b=qpgEpk4c+SB2/LL13APbba+FGSBmJthE9E99t468wxMkVp9deDy5hOo0sSGTjmEA3U xQJnpEqk9Fj+czwnhA9/C/gns5FFUV4f1pWr6/g8I057LMAXVFa36XvLGB480K8vdA/c ozJ1Iw2A/sj1iqSW/Nh53/XkXjWi2EyRlXgWxEm6ZN5/7cnyOJjI9OCGgV/agoTDQ5hZ eBT39VQJnYMPLvFYmGw7wkupbQHYDKwwjczSWOSs7Zd3jgirAFQ+qxpWFHgv/p2ZrxwZ xkIxdTd+JPTkbaBjy13Dz2sp0mb28R+GzxcHVAVqKPVFYqj2g6yJtnB4G2I8MKO4pTwv DzEA==
X-Gm-Message-State: AOAM531bzMtvYplrk19MNFYWot9JdpWeXw96waw/K0vCnnC3wn1Tb538 1aYs2kBRuLvKdMAgxK+gKEzzFRwxU+j6j/HEk7yrxw==
X-Google-Smtp-Source: ABdhPJwRy6AyMWsMieBTd5aig7aD8L4iWW1ClCSdhr5qQFQOu1ifGOiIHmFPoQxuNTJ216BGu1uQU92H+hVxghhKODw=
X-Received: by 2002:ab0:22c5:: with SMTP id z5mr1974368uam.48.1589417381839; Wed, 13 May 2020 17:49:41 -0700 (PDT)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com> <CABcZeBPVocy593=WJM2k3Ytrwg36qc_1d4VQH3otRM5qyvZwLA@mail.gmail.com> <1388052392.1781.1586274052101@appsuite-gw1.open-xchange.com> <CABcZeBNi2LKvGFcmTM0uC+rFEVm5tgw6Zo1LS_CoO5=Zo0zqSA@mail.gmail.com> <C03AC6C2-9DCB-448A-B906-3062BD616E31@sinodun.com> <CAMOjQcGrWXFpStp=iVbo1jVN3qnen8rC71SyXv6evY2-MgUdxg@mail.gmail.com> <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com> <CABcZeBPP6J=a=hW6BLcMnKawupa3RjjpYAzgZ317=ryLy39n+A@mail.gmail.com> <8CEFE3CB-A88C-4BBC-95B8-9850142DB5EE@sinodun.com> <CABcZeBPF41eq-HYXdYScx7bqYyUO7-oH6zWKqj7Ka23u8x_E4A@mail.gmail.com> <ACA9854E-00B7-4776-A850-E5069C672121@cisco.com> <CABcZeBOxN7iNTLFUw7JDc4ZGH_u4awys3g52de29CuOyQv2JUQ@mail.gmail.com> <C8B168D0-F719-405F-892F-14573A7C568D@sinodun.com> <CABcZeBPGAgqSPKWXKaL6kK5CYzgK+RmwFrMwhc6ED7aGnV_ayA@mail.gmail.com> <8AB227E2-F968-47C4-9EB6-40A988263892@sinodun.com> <4fc44293-cdd9-24b7-cf26-1451a3652f73@huitema.net> <541315765.30668.1589285684382@appsuite-gw2.open-xchange.com> <CAHbrMsBrB-BGog8kjE0WRBpNVZ16z-nBSpKXXzUYrfwm1bY68A@mail.gmail.com>
In-Reply-To: <CAHbrMsBrB-BGog8kjE0WRBpNVZ16z-nBSpKXXzUYrfwm1bY68A@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 13 May 2020 17:49:30 -0700
Message-ID: <CAH1iCipJ0kxupdiUbPzs44Ud_bchuy9-sHHi8Ev1pTq4u9ykFQ@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Christian Huitema <huitema@huitema.net>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000071cb8a05a5911217"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/p9SJBnSesJvv6WMLEI1euWBBqBk>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2020 00:49:47 -0000

On Tue, May 12, 2020 at 8:13 PM Ben Schwartz <bemasc=
40google.com@dmarc.ietf.org> wrote:

>
>
> On Tue, May 12, 2020 at 8:15 AM Vittorio Bertola <vittorio.bertola=
> 40open-xchange.com@dmarc.ietf.org> wrote:
>
>>
>> Il 11/05/2020 21:35 Christian Huitema <huitema@huitema.net> ha scritto:
>>
>> I found the discussion of application embedded resolvers bizarre. It
>> speaks of applications in general, but the way the text is set-up appears
>> to be a specific dig against Mozilla. Look at the text: "popular
>> applications directing DNS traffic by default to specific dominant
>> resolvers". It boils down to accusing some unnamed application of
>> deliberately contributing to centralization. I find that problematic, and
>> also very imprecise.. I think this should be rewritten in a much more
>> neutral way.
>>
>> I think this section has already been rewritten at least half a dozen
>> times, and every time there was a claim that it is not neutral (sometimes
>> even on text that previously seemed to be ok). Every time the authors put
>> the effort to rewrite it once again according to the comment, and every
>> time a new comment comes in saying that this is not enough. I admire their
>> patience.
>>
>> In any case, I don't know Mozilla's view on whether this is a specific
>> dig against them, but it is meant as a discussion on privacy impacts of a
>> specific deployment model, not of a specific company's policy. These
>> privacy impacts, even if with very variable views, have been the subject of
>> many conferences, articles and talks in the last couple of years - they
>> were not discovered in this document, and it would be weird if they were
>> omitted from a discussion on DNS privacy released in 2020. The fact that
>> Mozilla is at this time the only company adopting that model is just
>> coincidental, apart from perhaps reflecting the fact that others think that
>> that model is not a particularly good idea.
>>
>> In a modern environment, the concept of host is very fuzzy. We get all
>> kinds of special devices. We also get containers or virtual machines
>> running inside hosts. A browser is in practice such a container. There is
>> not a difference of nature between a separate subsystem like a browser
>> environment and a separate device. If a browser embeds its own stub
>> resolver, users can configure the resolver of their choice in much the same
>> way that they can configure the resolver of their choice using a device
>> configuration UI. There are differences in management, but these
>> differences fall largely outside the scope of the DNS privacy draft.
>>
>> In both cases, users are very likely to configure a well-known service.
>> There is not much the difference between setting the device's preferred
>> resolver to 8.8.8.8 and setting the browser's choice to "Google DNS"? In
>> both cases, the centralization effect results from the popularity of the
>> service, unless you are specifically accusing Mozilla of conspiring to
>> centralize the DNS. And a privacy RFC is not the right place to do that.
>>
>> You seem to miss the point, which is not about users setting their
>> preferred resolver at the application level, but about applications that by
>> default ignore the resolver settings in the device and pick their own
>> preferred resolver independently from the user.
>>
>> In a market in which there are few choices, indeed this behaviour
>> promotes centralization: we know that most users do not change the
>> defaults, and if most users of a popular application start using a single
>> resolver in place of a broad set of local resolvers scattered around the
>> Internet, of course the resulting traffic pattern is more centralized.
>>
>> We also know that centralization of the DNS is potentially a privacy
>> threat, as it makes it easier to track and correlate multiple activities by
>> the same individual. This does not seem contentious - it was actually the
>> first example in last year's IAB "DEDR" workshop charter.
>>
>
> That seems quite contentious to me.  Decentralization of the DNS is _also_
> a privacy threat: running your own recursive leaks your IP to every
> authoritative (far worse than ECS!), pinning yourself to a unique recursive
> makes you uniquely identifiable as you move across the network, and using a
> recursive whose identity is unknown is obviously a privacy concern.
>
> There are many possible resolution configurations, and none of them offer
> perfect privacy.  The exact tradeoffs between them are very much in flux as
> the relevant standards and practices evolve.  If the draft tries to cover
> this topic it should present all of the risks in these different
> configurations, but I think it would probably be wiser to avoid claims
> about the privacy properties of deployment architectures.
>
>
Please let me point out that there is a repeated false dichotomy, regarding
running your own resolver software.

There is one specific mode, which most resolver software supports:
forwarder.
The resolution chain would then be application - stub software - local
forwarder - [possible additional forwarders such as on home "routers" or
wifi devices] - resolver - {authority servers}.

In the forwarder mode, many/most of the features of the resolver are
preserved/exposed, including things like caching, DNSSEC validation, and
client-facing DoT/DoH.

The important distinction is, the resolver in forwarder mode does NOT talk
directly to the authority server (and thus leak IP information) but instead
talks to another resolver.

The reasons for doing something like this are hopefully obvious enough: the
user gets the best of both worlds, in terms of privacy and in terms of
control via the software choice and configuration.

(There are reasons to encourage forwarders instead of hyper-local resolvers
beyond the privacy issue, such as the scalability of the entire DNS
ecosystem, which relies to a large degree on having fewer resolvers than
there are end hosts on the Internet.)

Given this third option (versus total decentralization and maximal
centralization), the importance of including this topic is paramount for
the privacy issues it covers.

I think the document is mostly fine, and modulo tweaks in the very specific
area, I don't see any reason to remove any content, only at most small
wordsmithing changes to address any technical errors.

Brian

v2.23.0 | Report a Bug | By Email